From 56f4f279a5a5bfb2d919f2e603c8551f422e932f Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Tue, 4 Feb 2020 08:59:33 +0100 Subject: [PATCH] guardian: Add upstream patch for HTTP parser. Fixes #12289. Signed-off-by: Stefan Schantl Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- lfs/guardian | 5 ++- src/patches/guardian-2.0.2-http-parser.patch | 45 ++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/patches/guardian-2.0.2-http-parser.patch diff --git a/lfs/guardian b/lfs/guardian index a40480c0c8..3e2c3347f5 100644 --- a/lfs/guardian +++ b/lfs/guardian @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = guardian -PAK_VER = 18 +PAK_VER = 19 DEPS = "perl-inotify2 perl-Net-IP" @@ -79,6 +79,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE) + # Add upstream patches. + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/guardian-2.0.2-http-parser.patch + # Adjust path for firewall binaries. cd $(DIR_APP) && sed -i "s|/usr/sbin/|/sbin/|g" modules/IPtables.pm diff --git a/src/patches/guardian-2.0.2-http-parser.patch b/src/patches/guardian-2.0.2-http-parser.patch new file mode 100644 index 0000000000..1ecae658cc --- /dev/null +++ b/src/patches/guardian-2.0.2-http-parser.patch @@ -0,0 +1,45 @@ +commit 5028c7fde1fa15e4960f2fec3c025d0338382895 +Author: Stefan Schantl +Date: Tue Feb 4 07:55:48 2020 +0100 + + Parser: Adjust HTTP parser to be compatible with newer log format. + + Signed-off-by: Stefan Schantl + +diff --git a/modules/Parser.pm b/modules/Parser.pm +index 3880228..bcca88f 100644 +--- a/modules/Parser.pm ++++ b/modules/Parser.pm +@@ -302,7 +302,7 @@ sub message_parser_httpd (@) { + # been passed. + foreach my $line (@message) { + # This will catch brute-force attacks against htaccess logins (username). +- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) { ++ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) { + # Store the grabbed IP-address. + $address = $1; + +@@ -311,7 +311,7 @@ sub message_parser_httpd (@) { + } + + # Detect htaccess password brute-forcing against a username. +- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) { ++ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) { + # Store the extracted IP-address. + $address = $1; + +@@ -321,6 +321,14 @@ sub message_parser_httpd (@) { + + # Check if at least the IP-address information has been extracted. + if (defined ($address)) { ++ # Check if the address also contains a port value. ++ if ($address =~ m/:/) { ++ my ($add_address, $port) = split(/:/, $address); ++ ++ # Only process the address. ++ $address = $add_address; ++ } ++ + # Add the extracted values and event message to the actions array. + push(@actions, "count $address $name $message"); + } -- 2.39.2